Tuesday, December 5, 2017

IPsec tunnel question, and DR link in case it fails (implemented on pfSense)

Hi all,

Have a question about implementing an IPsec tunnel on a pfSense box, and what would happen if the tunnel drops due to a transit network outage, etc.

BACKGROUND INFO: We have a pfSense box acting as a firewall/router where the "LAN" side is our network, and the "WAN" side is the private network link to the parent company (which does not provide Internet access - we have our own Internet WAN link for that.) We route certain parent-co networks from our core towards the pfSense box, which has its default gw as the IP of the onsite parent-co router terminating the private WAN link (happens to be MPLS over bonded T-1s.) Also, our co's admin domain ends at the pfSense box; we have no admin (or other) access to the parent-co's equipment onsite. The parent co in turn has no admin/other access to our network, other than us allowing traffic destined to certain of our internal servers.

Now, management wants me to engineer an IPsec s2s tunnel for the traffic bound for parent-co that would route over our regular Internet connection, and keep the default route on the pfSense box as a backup link, in case the IPsec tunnel over the Internet fails. My manager thinks this IPsec tunnel could be done on the pfSense box, and have everything else stay the same. I am not a networking guru (jack of all trades, know what I know about networking but certainly not a CCIE-level fellow) but I'm pretty sure this would not work... I have the following questions about this:

1) I'd have to have a Phase 1 remote gw that is routed through the Internet, so I guess I'd need to drop a route on the pfSense box for at least that gateway IP, that next hops our router out the pfSense LAN interface?

2) Then, when I define the remote networks for parent-co on multiple Phase 2 SAs, would the traffic from these tunnels be subject to firewall policy? (Or, how could this happen?)

3) (this is the big one in my mind) What would happen to traffic bound for parent-co if the IPsec tunnel fails? Would it revert to transit out the current default gateway, or just be dropped?

I have thought about this, and am thinking I could just implement another router connected to a second WAN port (opt1) of the pfSense box, which would implement an IPsec tunnel matching all traffic; then have two default routes on the pfSense firewall, main one pointing to the IPsec tunnel router, and a backup one to the current parent-co router (having the MPLS link.) But, that means buying another router... It would be great to be able to do this with what I have now (i.e., just use the pfSense box) unless that would be horrifically complex, or unachievable.

Thanks in advance to anyone who helps me think this through, and answer my questions... Definitely a bit more complexity than I've handled before, but also a great learning opportunity!
